On Thu, Apr 05, 2001 at 11:38:47AM +0200, Ogle Ron (Rennes) wrote:
> Until that time, we are blocking NTP access from the Internet (for those of
> us who use Internet stratum 1 servers) for the NTP protocol.  

> I suggest that other people in the same situation do the same until a proper
> fix is made.

Unfortunately, the exploit makes a really handy local exploit for a user
who can already get a binary onto the system.   Since the ntp server
will crash in its death throes, one can't really use it to fire a whole
sequence of commands into the system, but it's pretty easy to use it for
local privilege elevation.   Good luck with firewalling that. ;)

Thanks for the link to a patch, though.  It's worth looking at to see if it
really solves the problem or not. 

Also, has anyone tested this exploit against ntp implementations on routers
and such?   Some of us have to wait for a "maintenance window" before we
can potentially hork up a router. 

                        Erik Fichtner; Unix Ronin
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself.  Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw

